Security News > 2022 > September > Stealthy hackers target military and weapons contractors in recent attack
Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.
The campaign stands out for its secure C2 infrastructure and multiple layers of obfuscation in the PowerShell stagers.
The phishing email targeting employees includes a ZIP attachment that contains a shortcut file, which, upon execution, connects to the C2 and launches a chain of PowerShell scripts that infect the system with malware.
The obfuscation techniques seen by Securonix analysts are reordering/symbol obfuscation, IEX obfuscation, byte value obfuscation, raw compression, reordering, string replacement, and backtick obfuscation.
If all checks pass, the script proceeds by disabling the PowerShell Script Block Logging and adds Windows Defender exclusions for ".
After the PowerShell stager completes the process, an AES-encrypted final payload is downloaded from the C2. "While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis," explains the researchers.
News URL
Related news
- North Korean govt hackers linked to Play ransomware attack (source)
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- 390,000 WordPress accounts stolen from hackers in supply chain attack (source)
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks (source)